🔰Registry Persistence Mechanism

Registry persistence mechanisms involve malware modifying the Windows Registry to ensure that it executes automatically whenever the system starts or a user logs in. Here are some common registry-based persistence techniques:

1. Run Keys

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: Entries in this key execute every time any user logs into the system. This key is commonly used for persistent malware.

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: Similar to the above but specific to the currently logged-in user. Malware targeting this key will run only when that user logs in.

2. RunOnce Keys

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce: Entries here run once, and then they are removed from the registry. Malware may use this key to execute and then reinstall itself using another persistence mechanism.

3. Services

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services: Malware can create a new service or modify an existing one to run malicious code at system startup. This key contains information about all installed services.

4. Winlogon and Userinit

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: Malware may modify the Userinit or Shell values to include its executable, ensuring it runs every time the user logs on.

  • Userinit: This value specifies the path of the executable to run at user login.

  • Shell: This value specifies the default shell executable (e.g., explorer.exe), and malware can replace or append its own executable.

5. Explorer Shell Extensions

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved: Malware may add entries to this key to integrate with the Windows shell, ensuring that its code is executed when the Explorer shell starts.

6. Startup Folder

• Although technically not a registry key, malware can create shortcuts in the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) to run on user login. The Startup folder itself can be monitored or modified via registry settings.

7. Other Registry Locations

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run: Similar to Run keys, entries here will execute at startup or login.

Detection and Mitigation

• Detection: Use tools like Regedit, Autoruns, or Sysinternals to inspect registry keys for suspicious entries. Look for unusual paths, executable names, or unknown entries.

• Mitigation: Regularly audit registry keys for unauthorized changes, use endpoint protection software to detect and block malicious changes, and employ least privilege principles to limit the ability of malware to make changes.

Registry-based persistence is a common technique due to its ability to survive reboots and user logins, making it crucial to monitor and analyze registry changes for effective malware detection and removal.